Syllabus

CS 286 Course Syllabus

General information
- CS 286 --- Software Reverse Engineering
- Department of Computer Science
- San Jose State University
- Fall 2009 semester
Instructor Information
- Name: Mark Stamp
- Office: MQH 216
- Office hours: Friday 11:00am--3:00pm, or by appointment
- Phone: 408-924-5094
- email: stamp@cs.sjsu.edu
  - Email is the best way to contact me
  - Please put "CS286" at the beginning of the subject line
- Greensheet: http://www.cs.sjsu.edu/faculty/stamp/CS265/syllabus/syllabusFall08.html
- Who am I?
- Furlough days:
  - Tuesday, September 8
  - Tuesday, September 22
  - Tuesday, November 24
Course Overview and Description: The course will introduce the uses of Software Reverse Engineering (SRE) in both software development and software security. Teaching and learning SRE is best accomplished by running through scenarios that contain one or more concrete reversing objectives. Since SRE is highly dependent on adequate tools, one needs to be able to identify suitable reversing tools for each reversing objective. To that end, the course identifies the type of SRE tools that are available and how they can be used to reverse both machine (native) code, and Java bytecode.
Companion Website: There is no required textbook. A companion Web site containing SRE tools, reference material, and animated tutorials is provided at http://reversingproject.info/ This website has (or has links to) most of the information needed for this course. Many other online sources are available.
PowerPoint slides presented in class are available here.
Programs assigned or analyzed in class are available here.
Prerequisites: Familiarity (or a willingness to learn) the following concepts & technologies (on Windows):
- Intel x86 Architecture & Assembly Language
- A high-level language (C/C++) and corresponding compiler and run-time.
- The Java language and the Java Virtual Machine (JVM)
- Compiled versus interpreted languages (intermediate code versus machine code).
- The different types of Malware and their defining characteristics.
- A PC (or VMWare image) with Microsoft Windows XP or later installed.
Recommended Texts:
- E. Eliam, Secrets of Reverse Engineering, Indianapolis, IN: Wiley, 2005.
- A. Kalinovsky, Covert Java: Techniques for Decompiling, Patching, and Reverse Engineering, Indianapolis, IN: Sam's Publishing, 2004.
- K. Irvine, Assembly Language: For Intel-Based Computers, Upper Saddle River, NJ: Prentice Hall, 2007.
Required Readings:
- B. Behrens and R. Levary, "Practical Legal Aspects of SOFTWARE REVERSE ENGINEERING," in Communications of the ACM [Online], 41(2).
- G. Canfora and M. Di Penta, "New Frontiers of Reverse Engineering," in Proc. Future of Software Engineering, Minneapolis, MN, 2007, pp. 326-341.
- B. W. Weide, W. D. Heym, J. E. Hollingsworth, "Reverse engineering of legacy code exposed," in Proc. 17th Int. Conf. Software Engineering, Seattle, Washington, WA, 1995, pp. 327-331.
- H. M. Sneed, "Encapsualtion of legacy software: A technique for reusing legacy software components", in Ann. Software Engineering, v.9, n.4, pp.293-313, 2000.
Links to these articles and many more can be found here.
Course Outline:
1. Introduction (1 week)
  1. Reverse Engineering in Software Development
  2. Reverse Engineering in Software Security
2. Reversing and Patching Wintel Machine Code (3 weeks)
  1. Decompilation and Disassembly of Machine Code
  2. Wintel Machine Code Reversing and Patching Exercise(s)
3. Reversing and Patching Java Bytecode (2 weeks)
  1. Decompiling and Disassembling Java Bytecode
  2. Java Bytecode Reversing and Patching Exercise(s)
4. Applying Anti-Reversing Techniques to Wintel Machine Code (2 weeks)
  1. Eliminating Symbolic Information in Wintel Machine Code
  2. Basic Obfuscation of Wintel Machine Code
  3. Protecting Source Code Through Obfuscation
  4. Advanced Obfuscation of Machine Code
  5. Wintel Machine Code Anti-Reversing Exercise(s)
5. Applying Anti-Reversing Techniques to Java Bytecode (2 weeks)
  1. Eliminating Symbolic Information in Java Bytecode
  2. Preventing Decompilation of Java Bytecode
  3. Java Bytecode Code Anti-Reversing Exercise(s)
6. Reengineering and Reuse of Legacy Software Applications (2 weeks)
  1. Introduction to software reengineering and maintenance
  2. Legacy Software Reengineering and Reuse Exercise
7. Identifying, Monitoring, and Reporting Malware (2 weeks)
  1. Introduction to the Different Types of Malware
  2. Malware Identification and Monitoring Exercise(s)
Student Learning Objectives: The expected learning outcomes for students of the course are:
- An improved ability to understand, maintain, evolve, and secure software.
- An understanding of the most popular and relevant uses of software reversing.
- Facility with several software reverse engineering tools.
- Facility with assembly language and interpreted languages like Java Bytecode.
Grading:
1. Test 1, 100 points. Date: Tuesday, November 3 and Thursday, November 5.
2. Homework, quizzes, class participation and other work as assigned, 100 points. Note that a subset of the assigned problems will be graded.
3. Project, 100 points. The project is due in 2 parts, with the first part due Thursday, October 1 and the second part due Tuesday, November 24. Presentations will be given for each part, beginning on the due dates.
4. Final, 100 points.
  - Thursday, December 10 at 2:45pm
  - The official finals schedule is here: http://info.sjsu.edu/web-dbgen/narr/soc-fall/rec-227.html
5. Semester grade will be computed as a weighted average of the 4 major scores listed above.
6. No make-up tests or quizzes will be given and no late homework or project (or other work) will be accepted.
7. Nominal Grading Scale:
  
  Percentage Grade
  92 and above A
  90 - 91 A-
  88 - 89 B+
  82 - 87 B
  80 - 81 B-
  78 - 79 C+
  72 - 77 C
  70 - 71 C-
  68 - 69 D+
  62 - 67 D
  60 - 61 D-
  59 and below F
Homework: Homework is due typewritten (including source code) by 11:59pm on the due date. Each assigned problem requires a solution and an explanation (or work) detailing how you arrived at your solution. Cite any outside sources used to solve a problem. When grading an assignment, I may ask for additional information. Note that a subset of the assigned problems will be graded.

Zip your homework into a file named hmk.zip. Email your work to sjsu.cs286@gmail.com. The subject line of your email must be of the form:
```
     CS286HMK assignmentnumber yourlastname last4digitofyourstudentnumber 
```
That is, the subject line must consist of four identifiers. There is no space within an identifier and each identifier is separated by a space.
- Assignment 1: Due Tuesday, September 1
  Obtain and install OllyDbg (or a similar tool). Download the file serial.zip and extract the files serial.exe and serial2.exe. For each program, create a patched version for which any serial number works, and also determine the serial number.
- Assignment 2: Due Thursday, September 10
  1. Write a C program that includes all of the elements listed below. Then compile your program and disassemble the resulting exe. Using only a static view of the disassembled code, determine the assembly code that corresponds to each element. Your solution must clearly show each element in source code and the corresponding disassembly.
    1. simple if (i.e., no else clause)
    2. "shorthand" if, i.e., use the ? operator---for example, x = (y < 0) ? -y : y;
    3. compound if (i.e., include && or || or both)
    4. if/else
    5. if/elseif/elseif/.../else
    6. switch statement (with at least 3 case statements and a default case)
    7. simple for loop
    8. for loop with a break
    9. for loop with a continue
    10. while loop
    11. do loop
    12. array
    13. function call (include both the CALL and RET)
    14. each of the integer arithmetic operations, +, -, *, /, and %
    15. each of the floating point arithmetic operations, +, -, *, and /
  2. For serial2.exe (see assignment 1), analyze the method used to obfuscate the strings. Give another method for obfuscating literals that you believe would be more difficult to reverse.
- Assignment 3: Due Tuesday, September 15
  1. Examine the PE file ntdll.dll (in the system32 directory) and provide the following information. Give all numbers in hex unless otherwise specified.
    1. Number of sections and name of each section
    2. Size of the optional header.
    3. "Magic number" (in hex and in ASCII).
    4. Size of code.
    5. Size of initialized data.
    6. Address of entry point.
    7. Base of code.
    8. Base of data.
    9. Number of exported "symbols" (in decimal).
    10. Name and entry point of export symbol with ordinal 27.
    11. Size of relocation table.
  2. Examine the PE file crypt32.dll (in the system32 directory) and provide the following information. Give all numbers in hex unless otherwise specified.
    1. Number of sections and name of each section
    2. Size of the optional header.
    3. "Magic number" (in hex and in ASCII).
    4. Size of code.
    5. Size of initialized data.
    6. Address of entry point.
    7. Base of code.
    8. Base of data.
    9. Number of exported "symbols" (in decimal).
    10. Name and entry point of export symbol with ordinal 1027.
    11. Size of relocation table.
    12. Number of DLLs that are imported.
    13. RVA of imported symbol "CryptGenRandom"
- Assignment 4: Due Thursday, September 24
  1. Write a Java application and obfuscate it using ProGuard. Only use options under the "obfuscation" button (i.e., no shrinking, no optimization, etc.) and select the "print mapping" option. Give your obfuscated program to someone else in the class, who must patch the program. Give your victim precise instructions on what the patched program is supposed to do. Be reasonable!
  2. You must also obtain an obfuscated program (created using ProGuard) from another student and patch it according to the other student's instructions. You cannot obtain this program from the same person who will be patching your program.
  3. Obfuscate the Java application you wrote for Problem 1 using SandMark. Select the "obfuscate" tab and the "Class Encrypter" option. You may also select other obfuscation options if desired. The challenge is to generate a decompiled version of your program directly from the obfuscated code (i.e., without using SandMark or any similar tool and without reference to the original Java code). This will require that you decrypt the encrypted classes in the obfuscated code.
- Assignment 5: Due Tuesday, October 6, before 3:00pm
  Note: Email this assignment to stamp@cs.sjsu.edu with subject line "CS286 Project 1"
  1. Turn in a Windows exe and the source code for your Project 1 software, along with detailed instructions on how to compile it.
  2. Provide a written description of what your software does and what you would expect another student team to do with your project to break its security. You must be specific when discussing the security feature you expect to be broken. Note that this description will be given to the student team that is assigned to your project.
  3. Provide a detailed description of all anti-reversing techniques that you applied to your software. Include a discussion of the effectiveness of each technique with respect to your particular software. This information will not be given to the student team that is assigned to your project.
- Assignment 6: Due Tuesday, October 13
  1. Modify the program serial.c to test for a debugger using IsDebuggerPresent. The program should silently terminate if a debugger is detected. Turn in your source code along with an explanation of what happens when you try to debug the code.
  2. Turn in a screenshot showing that you were able to debug your program in problem 1, in spite of the IsDebuggerPresent code. Write a short explanation of how you were able to bypass the IsDebuggerPresent check.
  3. Repeat problem 1, but instead of using IsDebuggerPresent, use the assembly code that appears on slide 39 of the SRE_anti-reversing.ppt slides. How much more difficult would it be to bypass this debugger check?
  4. Using serial.c, test each of the anti-disassembly techniques that appear on the following SRE_anti-reversing.ppt slide: 45, 47, 48, and 49. In each case, turn in your source code and describe the resulting disassembly that is produced in OllyDbg and in IDAPro.
  5. Again using serial.c, develop your own anti-disassembly technique that does a better job of confusing both OllyDbg and IDAPro than any of the techniques tested in the previous problem. Turn in your source code and explain what you did and describe how much the assembly code was garbled in both OllyDbg and IDAPro. How difficult would it be to reverse engineer code that included your anti-disassembly technique?
- Assignment 7: Due Thursday, October 22
  1. "Rip" the keygen algorithm from the code, keygen.exe, found here. That is, extract the keygen assembly code from the application and use it directly in your own program, where your program takes any valid username as input and produces a valid serial number.
  2. Analyze the keygen algorithm used in keygen.exe and provide a description of the process used.
  3. Which is easier, ripping the keygen algorithm from the disassembly of keygen.exe, or analyzing the code and writing an equivalent version from scratch? Explain.
- Assignment 8: Due ~~Thursday, November 12~~ Tuesday, November 17
  The program "Defender.exe" can be found here and the slides that cover this application are here. Write your own application, "defender2" that requires a username and a serial number as input. Your program must implement a keygen algorithm (of your own design) and check that the username and serial number are valid.
  1. Your program, defender2, must include the following security features found in Defender.exe.
    - Encrypted code. The encrypted code should only be decrypted when it is reached during normal execution, as opposed to being decrypted when the application first begins.
    - A secondary "killer" thread that kills the application if the main thread is too slow (as would be the case if the application is being debugged).
  2. Show that you can defeat both of the protections in you application, defender2.
- Assignment 9: Due TBD
- Assignment 10: Due TBD
- Assignment 11: Due TBD
Other Important Stuff:
- No extra credit is anticipated
- Keys to success: Do the homework, do high quality work on the projects, attend class
- Wireless laptop is required. Your laptop must remain closed (preferably in your backpack and, in any case, not on your desk) until I inform you that it is needed for a particular activity
- Cheating will not be tolerated...
- ...but working together is encouraged
- Student must be respectful of the teacher and other students.
  - No disruptive or annoying talking
  - Turn off cell phones
  - Class begins on time
  - Class is not over until I say it's over
  - Etc.
- Disability information and policies can be found here
- Valid picture ID required at all times
- Why study security?
- Guest lecture(s)
  - Speaker: Vaibhav Pandya
    Title: iPhone Security Analysis
    Date: Tuesday, November 10
    Time: 3:00pm
    Location: MH 225
    Abstract:
    The release of Apple's iPhone was one of the most intensively publicized product releases in the history of mobile devices. While the iPhone wowed users with its exciting design and features, it also outraged many for not allowing installation of third party applications and for working exclusively with AT&T wireless services for the first two years. Software attacks have been developed to get around both limitations. The development of those attacks and further evaluation revealed several vulnerabilities in iPhone security. In this paper, we examine several of the attacks developed for the iPhone as a way of investigating the iPhone�s security structure. We also analyze the security holes that have been discovered and make suggestions for improving iPhone security.
Boring Stuff:

Percentage	Grade
92 and above	A
90 - 91	A-
88 - 89	B+
82 - 87	B
80 - 81	B-
78 - 79	C+
72 - 77	C
70 - 71	C-
68 - 69	D+
62 - 67	D
60 - 61	D-
59 and below	F